November 21, 2014

FTC Challenges Privacy Self-Regulation Offered by TRUSTe

by the Privacy and Data Security and Consumer Financial Services Groups

The Federal Trade Commission (FTC) recently announced an enforcement action against TRUSTe, a provider of privacy certifications for online businesses. The settlement resolves allegations that TRUSTe deceived consumers about its recertification program of companies’ privacy practices, as well as perpetuated misrepresentations about TRUSTe’s status as a non-profit entity.

FTC Chairwoman Edith Ramirez stated that “[s]elf-regulation plays an important role in helping to protect consumers. But when companies fail to live up to their promises to consumers, the FTC will not hesitate to take action.” While industry self-regulation through third-party certification programs may assist to communicate privacy standards to consumers, companies must take responsibility for and regularly review their own privacy policies and practices.

Since approximately June 1997, TRUSTe has offered companies a “seal” that can be displayed on company websites and mobile applications indicating that the companies meet designated privacy requirements as established by TRUSTe. These requirements include transparency of company practices, verification of privacy practices, and consumer choice regarding the collection and use of personal information. In an FTC blog post, an FTC attorney noted: “Because consumers can’t test the accuracy of [company privacy] claims, they often rely on third-party seals trusted for their expertise and independence… TRUSTe’s Certified Privacy Seals are pretty much everywhere you look on the web.”

For companies that display the privacy seal, TRUSTe purports to recertify privacy seal holders on an annual basis to identify, among other things, material changes to any company privacy policies; changes in company business models; and compliance with external third-party program requirements, such as the Children’s Online Privacy Protection Act (COPPA) or U.S. Department of Commerce self-certification to the U.S./EU Safe Harbor. The FTC’s complaint alleges that from 2006 until January 2013, TRUSTe failed to conduct annual recertifications of companies holding TRUSTe privacy seals in more than 1,000 incidences, despite statements on the TRUSTe website that such recertifications occur each year.

The consent order imposes $200,000 in disgorgement, to be submitted to the U.S. Treasury Department, and additional reporting requirements regarding TRUSTe’s COPPA safe harbor, which the FTC approved in 2001. The settlement also resolves FTC allegations that TRUSTe misrepresented its status as a nonprofit entity.

In a statement supporting the settlement, FTC Chairwoman Ramirez noted that TRUSTe holds a “unique position in the privacy self-regulatory ecosystem” by holding companies accountable for protecting consumer privacy, and thus TRUSTe “should themselves be held to an equally high standard.” Although the FTC did not announce any action being taken against those companies that continued to display the TRUSTe seal despite the lack of any annual recertifications, companies should be conducting their own annual assessments of their privacy practices.

Ballard Spahr's Privacy and Data Security Group regularly works with clients to develop and implement data security plans and privacy policies. Members of the Group can assist clients with privacy self-certifications and compliance with privacy and data security requirements. We encourage any of our clients utilizing TRUSTe’s service to contact us with any questions. The Group includes members of the firm’s Consumer Financial Services Group.

For more information, please contact CFS Practice Leader Alan S. Kaplinsky at 215.864.8544 or kaplinsky@ballardspahr.com, or John L. Culhane, Jr., at 215.864.8535 or culhane@ballardspahr.com.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.